Saturday, June 15, 2019

Katie Jones sure seemed plugged into Washington’s political scene. The 30-something redhead boasted a job at a top think tank and a who’s-who network of pundits and experts, from the centrist Brookings Institution to the right-wing Heritage Foundation. She was connected to a deputy assistant secretary of state, a senior aide to a senator and the economist Paul Winfree, who is being considered for a seat on the Federal Reserve.

But Katie Jones doesn’t exist, The Associated Press has determined. Instead, the persona was part of a vast army of phantom profiles lurking on the professional networking site LinkedIn. And several experts contacted by the AP said Jones’ profile picture appeared to have been created by a computer program.

Maryland Governor Larry Hogan recently signed into law House Bill 1154 (the “Bill”), which amends the state’s data breach notification law. Among other obligations, the amendments expand the required actions a business must take after becoming aware of a data security breach.

Under the existing data breach notification law, a business that owns or licenses personal information and becomes aware of a data security breach must conduct a reasonable, prompt and good faith investigation to determine the likelihood that personal information has been or will be misused as a result of the breach. The Bill expands this investigatory requirement to apply expressly to all businesses that own, license or maintain the personal information of Maryland residents.

… based on the risk of harm, “the owner or licensee of the computerized data shall notify the individual of the breach.”

… if the business that incurs the security breach is not the owner or licensee of personal information, that business may not charge the relevant owner or licensee for information necessary to carry out the owner or licensee’s notification obligations under Maryland’s breach law. [This must have happened once? Bob]

A Multidisciplinary Assessment of the Stalkerware Application Industry

Part 1 discusses the harms which are associated with a person being targeted by stalkerware.

Part 2 undertakes a technical assessment of specific stalkerware applications.

In Part 3, we evaluated how companies which sold stalkerware, and software which could be repurposed as stalkerware, marketed their products to prospective customers.

Part 4 of the report undertook a content assessment of companies’ user-facing public policies.

In Part 5, we conducted an assessment of stalkerware companies’ business practices through the lens of Canada’s federal commercial privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

In Part 6, we collect our major findings from our multidisciplinary research and propose a range of recommendations.

Rapid progress in AI and robotics is challenging the traditional boundaries of law. Algorithms are widely employed to make decisions that have an increasingly far-reaching impact on individuals and society, potentially leading to manipulation, biases, censorship, social discrimination, violations of privacy and property rights, and more. This has sparked a global debate on how to regulate AI and robotics.

The purpose of this introductory chapter is twofold. First, it outlines some of the most urgent ethical and legal issues raised by the use of self-learning algorithms in Artificial Intelligence (AI) systems and (smart) robotics. Secondly, it provides an overview of several key initiatives at the international and European levels on forthcoming AI ethics and regulation.

Friday, June 14, 2019

This is the kind of insider breach that makes patients lose confidence in hospitals. I am not surprised that the jury came down hard on the hospital. Of the $300,000 award, $295,000 is punitive damages against the hospital for not doing anything against the doctor when they were made aware of the problem.

A Coffee County jury on Tuesday awarded $300,000, including punitive damages, to plaintiff Amy Pertuit against Medical Center Enterprise for illegal access and disclosure of protected health information.

In a unanimous verdict, the jury found that Medical Center Enterprise failed to take action against its then-employee, Dr. Lyn Diefenderfer, after it learned that Dr. Diefenderfer had illegally accessed and disclosed Pertuit’s medical records.

Belgian company ASCO Industries, a key leader in manufacturing components for both civilian and military planes, fell victim to a ransomware attack on June 7 that shut down production around the world, writes ZDNet. With all IT systems incapacitated, some 1,000 of 1,400 employees were sent home.

… The company has plants in Belgium, Germany, Canada and the US, as well as office representation in Brazil and France. A week later, the plants are still closed and an investigation by external experts seeks to determine the actual damage caused. The infection occurred at the production plant in Belgium, but the plants in the rest of the locations were shut down as a precaution to prevent the ransomware from spreading across the entire network.

To Congress: If Russians Seek to Provide Dirt, Make it a Requirement to Report!

Shockingly – if anything shocks anymore – President Donald Trump told ABC News Wednesday that he need not tell the FBI if the Russians once again reached out with an offer of “dirt” on his opponents in the race for president. When Trump was told that Christopher Wray, the FBI director the president himself appointed, said last month that this kind of attempted foreign election interference was something that should be reported to federal law enforcement, Trump’s response was: “The FBI Director is wrong.”

The good news is that Congress is already working on this issue. The Anti-Collusion Act, introduced Wednesday by Rep. Tom Malinowski (D-N.J.), would require everyone running for federal, state, or local office to report offers of assistance from a foreign government or agent of a foreign government to the Department of Justice.

Why are political reactions so often overreactions? “We gotta do something” overrides “let’s think about this.”

Amelia Vance of the Future of Privacy Forum has an excellent commentary in the Orlando Sentinel that begins:

After the horrific school shooting in Parkland last year, state legislators passed a law that included a little-noticed provision creating a new government database. Education Week recently reported that the database will include a vast range of sensitive, personal information about Florida students. The state plans to merge information from social media with records of students who have been bullied or harassed based on their religion, race, disability, or gender, plus data about students in foster care. In deciding which data to include, Florida did not take an evidence-based approach; instead, the state merely asked agencies and a few districts if they had any data that might indicate that someone was a threat.

NYT has a course to teach its reporters data skills and now they’ve open-sourced it

NiemanLab: “Should journalists learn to code?” is an old question that has always had only unsatisfying answers. (That was true even back before it became a useful heuristic for identifying Twitter jackasses.) Some should! Some shouldn’t! Helpful, right? One way the question gets derailed involves what, exactly, the question-asker means by “code.” It’s unlikely a city hall reporter will ever have occasion to build an iPhone app in Swift, or construct a machine learning model on deadline. But there is definitely a more basic and straightforward set of technical skills — around data analysis — that can be of use to nearly anyone in a newsroom. It ain’t coding, but it’s also not a skillset every reporter has. The New York Times wants more of its journalists to have those basic data skills, and now it’s releasing the curriculum they’ve built in-house out into the world, where it can be of use to reporters, newsrooms, and lots of other people too…”

“About Semantic Sanity – Semantic Sanity provides an adaptive ArXiv feed tailored to your research interests. This feed uses an AI model that recommends the latest papers across all ArXiv categories in Computer Science to help you stay up to date. Our AI model learns from you – when you indicate whether or not a paper is relevant, your feed will improve. It only takes a few clicks to see the most relevant research.

More Features & Benefits

Open access preprints from all ArXiv categories in Computer Science.

Refine feeds using categories and keywords.

Save feeds and papers to read later.

Create multiple feeds to track diverse research interests…”

Perspective. This could be difficult for my smartphone-using students. Maybe there’s an App for that?

… Now, thanks to advancements in technology, we’re at a stage where we can think about the importance of empathy in machines. Artificial intelligence (AI) is becoming an ever-increasing presence in our daily lives, whether it’s the voice assistant on your phone, or the complex algorithms used to fight diseases.

The way we design interactions with AI systems and the results they provide should be thoughtfully considered, and in the future, the responsibility for designing artificial empathy could fall under the remit of an empathologist – a job that has yet to exist.

P.E.I.’s privacy watchdog wants Health PEI to keep closer tabs on one of its employee’s use of patient health records, following a privacy breach last year at Queen Elizabeth Hospital.

That’s according to a new report by Information and Privacy Commissioner Karen Rose, posted May 30.

According to the report, in March 2018, a patient received a copy of their electronic patient chart from Health PEI. That chart included a log showing who had accessed the patient’s health information, and when.

The commissioner recommended Health PEI introduce regular auditing of the employee's access to patient records, with particular attention to the personal health information of the patient whose privacy was breached.

If you offer a tool to anyone potentially threatening the state, the state will react. (Best description of DDoS I have ever seen!)

Encrypted messaging service Telegram suffered a major cyber-attack that appeared to originate from China, the company's CEO said Thursday, linking it to the ongoing political unrest in Hong Kong.

Many protesters in the city have used Telegram to evade electronic surveillance and coordinate their demonstrations against a controversial Beijing-backed plan that would allow extraditions from the semi-autonomous territory to the mainland.

… "Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram)," he tweeted.

"This case was not an exception."

… "Imagine that an army of lemmings just jumped the queue at McDonald's in front of you – and each is ordering a whopper," it said, referring to the flagship product of Burger King.

"The server is busy telling the whopper lemmings they came to the wrong place – but there are so many of them that the server can't even see you to try and take your order."

In a letter sent to FBI Director Christopher Wray, Democratic Sens. Ron Wyden of Oregon and Amy Klobuchar of Minnesota, who is the ranking member of the committee with jurisdiction over federal elections, asked for answers by July 12 regarding steps the agency has taken in response to the breach of VR Systems’ computer servers.

Robert Mueller’s report on Russia’s interference in the 2016 election describes how Kremlin-backed spies installed malware on the network of an unnamed company that “developed software used by numerous U.S. counties to manage voter rolls.”

VR Systems has said it believes it is the company referred to in the report. The Tallahassee, Florida-based company has maintained, however, that its system was never penetrated. It told Wyden in a letter last month that the cybersecurity firm FireEye conducted a security audit and found no evidence of a breach.

… The Department of Homeland Security said last week that its computer experts will examine North Carolina polling equipment supplied by VR Systems, at the state’s request. The forensic analysis will look at laptops and replicas of computer hard drives that were used in heavily Democratic Durham County to determine whether hacking was responsible for malfunctions on election day in 2016.

State and local officials said previously they found no indication that the software system, used for voter registration and check-in, had been targeted by hackers, but they never did a forensic examination. VR Systems has blamed the trouble on poorly trained poll workers and inadequate computer maintenance. A report by a security consultant hired by Durham County’s elections board supported that claim.

… Senator Ron Wyden, the Oregon Democrat who sits on the Intelligence Committee, predicts that the 2020 election will make what happened in 2016 “look like small potatoes.” “It’s not just the Russians,” he told me. “There are hostile foreign actors who are messing with two hundred years’ worth of really precious history.” Wyden recently reintroduced the PAVE Act, a wish list of election-security provisions that failed to get through the Senate last year. The measure includes the use of hand-marked paper ballots and a prohibition on wireless modems and other kinds of Internet connectivity, all of which have been advocated by computer scientists and other election experts for years.

The Austrian Supreme Court has rejected all attempts by Facebook to block a lawsuit in Vienna on fundamental privacy issues.

Facebook had attempted to block the case by Austrian lawyer and privacy activist Max Schrems by questioning whether it is possible to bring a case about rights under the EU’s General Data Protection Regulation (GDPR) before the courts.

Facebook argued that only the Irish data protection commissioner has jurisdiction in this case, while the Vienna Regional Court declared that it did not have jurisdiction.

However, the Appellate Court and the Austrian Supreme Court have now made it clear that everyone has a right to file a lawsuit based on the GDPR.

… Google’s privacy policy evolved over two decades — along with its increasingly complicated data collection practices — from a two-minute read in 1999 to a peak of 30 minutes by 2018.

The policy became more readable at the expense of brevity after the introduction of the General Data Protection Regulation, the European Union data privacy protection framework that went into effect a year ago. The regulation includes a clause requiring privacy policies to be delivered in a “concise, transparent and intelligible form, using clear and plain language.”

… And if states continue to draft their own data protection laws, as California is doing with its Consumer Privacy Act, privacy policies could balloon with location-specific addendums.

CRS Legal Sidebar via LC – Regulating Big Tech: Legal Implications. June 11, 2019. “Amidst growing debate over the legal framework governing social media sites and other technology companies, several Members of Congress have expressed interest in expanding current regulations of the major American technology companies, often referred to as “Big Tech.” This Legal Sidebar provides a high-level overview of the current regulatory framework governing Big Tech, several proposed changes to that framework, and the legal issues those proposals may implicate. The Sidebar also contains a list of additional resources that may be helpful for a more detailed evaluation of any given regulatory proposal…”

Wednesday, June 12, 2019

Since May 21st, a virus has shut down Philadelphia’s online court system, bringing network access to a standstill. The problems started unexpectedly: suddenly, no one could seem to access the system to file documents. “It wasn’t working,” says Rachel Gallegos, a senior staff attorney with the civil legal aid organization Community Legal Services. “I thought it was my computer.”

Alternative rock legends Radiohead on Tuesday released an 18-hour trove of private recordings from their 1997 album "OK Computer" after getting hacked by someone seeking a ransom of $150,000 for the music.

The genre-bending English musicians uploaded the 1.8-gigabyte collection of recording session outtakes and rare live performances on their radiohead.bandcamp.com website.

The songs can be accessed online for free.

Security is complicated. Third parties can help, but it’s still your responsibility.

The SEC recently issued a risk alert warning about using vendors and cloud-based platforms. Many broker dealers and investment advisors are turning to these third parties to store customer data. In its alert, the SEC’s Office of Compliance Inspections and Examinations warns firms that relying on those third parties’ security tools is not, in and of itself, sufficient for the companies to demonstrate compliance with Regulations S-P and S-ID. These regulations require broker-dealers and investment advisers to protect customer records and detect and prevent identity theft.

Spain’s football league (La Liga) has been fined a total of EUR 250,000 by the country’s data protection agency (AEPD) for using a mobile app to remotely activate smartphone microphones, reports local daily El Diario. The league last year admitted that its highly popular official app, which is used by 4 million people in Spain to check incoming results live, can monitor user location and activate microphones to identify whether smartphone owners are watching a game at a public venue via an illegal feed. One of the app’s requested permissions is for access to user microphones and geopositioning “to detect fraud in the consumption of football in unauthorised public establishments”.

Cybersecurity: These are the Internet of Things devices that are most targeted by hackers

… Research from cybersecurity company SAM Seamless Network found that security cameras represent 47 percent of vulnerable devices installed on home networks.

According to the data, the average US household contains 17 smart devices while European homes have an average of 14 devices connected to the network.

… Figures from the security firm suggest that the average device is the target of an average of five attacks per day, with midnight the most common time for attacks to be executed – it's likely that at this time of the night, the users will be asleep and not paying attention to devices, so won't be witness to a burst of strange behavior.

As we recently noted, Washington state amended its data breach notification law on May 7 to expand the definition of “personal information” and shorten the notification deadline (among other changes). Not to be outdone by its sister state to the north, Oregon followed suit shortly thereafter — Senate Bill 684 passed unanimously in both legislative bodies on May 20, and was signed into law by Governor Kate Brown on May 24. The amendments will become effective January 1, 2020.

Among the changes effected by SB 684 is a trimming of the Act’s short title—now styled the “Oregon Consumer Information Protection Act” or “OCIPA” (formerly the “Oregon Consumer Identity Theft Protection Act” or “OCITPA”). Apart from establishing a much more palatable acronym, the amended short title mirrors the national (and international) trend of expanding laws beyond mere “identity theft protection” to focus on larger scale consumer privacy and data rights.

Texas is one of the many states that looked to be following in the footsteps of California’s enactment of a broad consumer privacy law (the California Consumer Privacy Act), which has far-ranging implications for businesses and consumers. Two comprehensive data privacy bills, HB 4390 and HB 4518, were filed and heard at the last legislative session. HB 4518, also known as the Texas Consumer Privacy Act, proposed overarching consumer protection legislation that closely resembled the California Consumer Privacy Act. HB 4518 stalled in the Texas House of Representatives in favor of HB 4390. HB 4390, also known as the Texas Privacy Protection Act, was introduced as comprehensive data privacy legislation, but was significantly less detailed than HB 4518. HB 4390 went through several rounds of revisions in both the Texas House and Senate until it was whittled down to the final version, which revises the notification requirements of the Texas Identity Theft Enforcement and Protection Act and creates the Texas Privacy Protection Advisory Council in order to develop recommendations for future data privacy legislation. HB 4390 has passed both the Texas House and Senate and is awaiting signature from the governor to be enacted.

… The deepfake video of Mark Zuckerberg was created for an art installation on display in Sheffield called Spectre. It is designed to draw attention to how people can be monitored and manipulated via social media in light of the Cambridge Analytica affair - among other scandals.

It features a computer-generated image of the chief executive's face merged with footage of his body sourced from a video presentation given in 2017 at an office in Facebook's Silicon Valley headquarters. An actor provided the audio recording it is synched to.

There’s no better way of ensuring you win a race than by setting the rules yourself. That may be behind the recent rush by countries, international organizations, and companies to put forward their visions for how the AI race should be governed.

But given the recent flurry of AI guidelines, it may well have been motivated by a desire not to be left out of the conversation. The previous week the OECD, backed by the US, released its own “guiding principles” for the industry, and in April the EU released “ethical guidelines.”

Researchers at the University of Tokyo have developed a robot that always wins at rock-paper-scissors. It watches the human player's hand, figures out which finger position the human is about to deploy, and reacts quickly enough to always win.

Will we need to delete the data and then retrain our AI? Expensive if necessary.

WHEN THE EUROPEAN Union enacted the General Data Protection Regulation (GDPR) a year ago, one of the most revolutionary aspects of the regulation was the “right to be forgotten”—an often-hyped and debated right, sometimes perceived as empowering individuals to request the erasure of their information on the internet, most commonly from search engines or social networks.

… Virtually every modern enterprise is in some way or another collecting data on its customers or users, and that data is stored, sold, brokered, analyzed, and used to train AI systems. For instance, this is how recommendation engines work—the next video we should watch online, the next purchase, and so on, are all driven by this process.

At present, when data is sucked into this complex machinery, there’s no efficient way to reclaim it and its influence on the resulting output. When we think about exerting the right to be forgotten, we recognize that reclaiming specific data from a vast number of private businesses and data brokers offers its own unique challenge. However, we need to realize that even if we can succeed there, we’ll still be left with a difficult question—how do we teach a machine to “forget” something?

“We already have in our possession the tools we need to enforce the antitrust laws in cases involving digital technologies,” Delrahim said. “U.S. antitrust law is flexible enough to be applied to markets old and new.”

… One way of evaluating whether a company has violated antitrust law is through what Delrahim called the “no economic sense test.” A monopoly that makes a decision that makes no economic sense except for “its tendency to eliminate or lessen competition” would fail the test, according to Delrahim’s definition.

About Me

I live in Centennial, Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.